...
Besides, to facilitate the management of the MinIO cluster (buckets, policies, users...), so that a user can browse the structure of directories and files of a bucket through a web UI, and so that other applications can be integrated via REST API, MinIO has the MinIO Console module. This module connects to the MinIO Object Storage server, and offers all those services without storing anything itself, : all management concepts residing reside in the MinIO Object Storage.
...
To integrate the MinIO console within the platform's control panel, we had to made a set of technical decisions, mainly derived from the following problems:
The MinIO console web UI is exposed using an http address without a contextpath (http://minioconsole/). This poses a problem when exposing it to the Internet (within a controlpanel iframe), since
...
it can not use a proxy_pass on the loadbalancer that redirects to the internal MinIO console endpoint.
MinIO exposes the web console with a set of security headers that prevent the console from being easily integrated into an iFrame, so certain headers have to be filtered through an intermediary (NGINX)
The MinIO session cookie is created with the SameSite attribute set to LAX, which prevents it from being displayed in an iframe – so we will have to replace the MinIO cookie with one generated by us from the
...
control panel.
The MinIO console has its own menu, meaning that, if it is integrated directly into the platform, it can be quite a confusing screen. To avoid this, we have touched the MinIO console code to remove the menu and some other options.
For problem #4, we have chosen to have two MinIO consoles:
...
Minio-browser: Modified MinIO console to remove the menu and other options that allow the users to leave the administration of their bucket. This is the console displayed on the MyFiles page of the controlpanelcontrol panel:
...
Having modified this console, we now manage its source code, its built, and its release as a container ourselves. Its location in the repository is:
Where we where you can find a README.MD with the instructions of what has been touched in the source code, how the Front is compiled, and how the Docker image is generated to publish it later with a push in the registry: : registry.onesaitplatform.com/minio/console
Note: Before modifying the console and testing to generate the image, you must:
Install Go.
Install node:
sudo apt install nodejs
Install yarn:
sudo apt install npm
sudo npm install -g yarn
With this, now you can follow the steps described in the README.MD:
Compile the Front: From /console-0.10.1/portal-ui
yarn install
make default or yarn default
To test it locally, once the front has been compiled, you have to build the project and run it. This is done:Para probarlo en local, una vez compilado el front, habria que construir el proyecto y ejecutarlo. esto se haceis the way it is done:
Compile the project: From /console-0.10.1
make install
Test it by starting the console from $HOME/go/bin
export CONSOLE_PBKDF_PASSPHRASE=SECRET
export CONSOLE_PBKDF_SALT=SECRET
export CONSOLE_MINIO_SERVER=http://<minio-server>:<minio-port>
./console server --port=9001
MInio-console: Generic MinIO console. We use the containerized image from the official release of the MinIO console. This is the console that is displayed to administrators when they select the Minio Console button.
...
Problem #1 is resolved solved by exposing the minio consoles as subdomains instead of mediating a context-path. To do this, we you have to add both subdomains in the DNS of the installation or in the hosts file of the PCs that are going to access the console. E.g:
minioadmin-development.onesaitplatform.com
miniobrowser-developmentonesaitplatform.com
These subdomains are solved in the loadbalancer by adding a “server” type entry for each of them. This can be done by adding both files to nginx/conf.d/
...
For miniobrowser-development.onesaitplatform.com:
Code Block |
---|
server {
listen 80;
server_name miniobrowser-development.onesaitplatform.com;
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $http_host;
proxy_hide_header X-XSS-Protection;
proxy_hide_header X-Frame-Options;
proxy_hide_header 'Access-Control-Allow-Origin';
add_header 'Access-Control-Allow-Origin' '*';
add_header 'Access-Control-Allow-Credentials' 'true';
proxy_connect_timeout 500;
proxy_http_version 1.1;
proxy_set_header Connection "";
chunked_transfer_encoding off;
proxy_pass http://minio-browser:9090/;
}
}
|
If needed, add the corresponding include in nginx.conf
Code Block |
---|
include /usr/local/conf.d/minio-browser-nginx.conf;
include /usr/local/conf.d/minio-console-nginx.conf; |
Problem #2 is solved with the header configuration added (we add some and remove others) in the previous step when we yu create the console server in NGINX.
...
Problem #3 is solved with code in the ObjectStorageController.java class, where we you log in to the MinIO console via REST API and create the session cookie in the browser programmatically.
...
It is very important to configure the cookieDomain correctly (it is done through the configuration in Endpoint Modules in the control panel), which must be the superior domain to which the subdomains created for the MinIO consoles belong:
E.g.: for miniobrowser-development.onesaitplatform.com –> It has to be set to “onesaitplatform.com” “onesaitplatform.com”.
Likewise, the consoles must be exposed securely via HTTPs:.